OSSEC generally reads the current logfiles, like /var/log/secure and /var/log/messages. When a log is rotated, OSSEC notes this (there's an alert for it, but I don't remember the ID), and re-opens the current logfile. It does not touch the old logfiles (like /var/log/messages.1.gz).
On Mon, Feb 28, 2011 at 4:46 PM, satish patel <[email protected]> wrote:
> One more question: how is ossec going to read log files? I meant, is it going
> to read all logs like secure.* including gz compressed? So what
> rotation should I use for logs?
>
> -Satish
>
> On Mon, Feb 28, 2011 at 4:44 PM, satish patel <[email protected]> wrote:
>> It started locally and remotely. Thanks
>>
>> -satish
>>
>> On Mon, Feb 28, 2011 at 4:41 PM, dan (ddp) <[email protected]> wrote:
>>> On Mon, Feb 28, 2011 at 4:36 PM, satish patel <[email protected]> wrote:
>>>>> Are you asking about the manager or the agents?
>>>>> I thought you were asking about the agents. I thought you wanted to be
>>>>> able to monitor the local logs with OSSEC and also have syslog forward
>>>>> the logs to splunk. Did I misunderstand?
>>>>
>>>> I am asking about agents. And yes, I want both: my agent monitoring local
>>>> logs and also syslog forwarding them to splunk. So, in short, both.
>>>>
>>>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>>>
>>>> How do I configure syslog to add log messages in both /var/log and
>>>> forward them to splunk as well?
>>>
>>> Syslog was originally configured to log to local files. Put that
>>> configuration back in place.
>>> At the end of the file add your remote syslog line:
>>> *.* @logserver1
>>>
>>> Then restart the syslog daemon. It should log locally and remotely.
>>>
>>>> On Mon, Feb 28, 2011 at 4:26 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Mon, Feb 28, 2011 at 4:11 PM, satish patel <[email protected]> wrote:
>>>>>>> Try reverting the configuration to how it was before you made the
>>>>>>> changes.
>>>>>>
>>>>>> Before, my syslog was configured for local files /var/log/*. But my
>>>>>> requirement is splunk + ossec.
>>>>>
>>>>> Are you asking about the manager or the agents?
>>>>> I thought you were asking about the agents. I thought you wanted to be
>>>>> able to monitor the local logs with OSSEC and also have syslog forward
>>>>> the logs to splunk. Did I misunderstand?
>>>>>
>>>>> If you want OSSEC to monitor the logs, they have to be written
>>>>> somewhere for OSSEC to read them (for example, in /var/log). If you
>>>>> want them to be forwarded to another system, you add a line like the
>>>>> following:
>>>>> *.* @logserver1
>>>>>
>>>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>>>>
>>>>>> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
>>>>>> syslogd 1.4.1
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Satish Patel
>>>>>>
>>>>>> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) <[email protected]> wrote:
>>>>>>> Try reverting the configuration to how it was before you made the
>>>>>>> changes.
>>>>>>> If you need help with that, maybe providing some of this info could
>>>>>>> help someone provide the correct info:
>>>>>>> What OS/distro?
>>>>>>> What syslog daemon (version and implementation)?
>>>>>>>
>>>>>>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel <[email protected]> wrote:
>>>>>>>> Hi Dan,
>>>>>>>>
>>>>>>>> I have the following line in my syslog.conf (send all messages to
>>>>>>>> logserver1, which is splunk):
>>>>>>>>
>>>>>>>> *.* @logserver1
>>>>>>>>
>>>>>>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>>>>>>> syslog has stopped appending logs to the local files. How do I enable it?
>>>>>>>> I want both options, local and remote syslog.
>>>>>>>>
>>>>>>>> -Satish
>>>>>>>>
>>>>>>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>>> Hi Satish,
>>>>>>>>> Do these systems log to both a local file and a remote syslog system?
>>>>>>>>> If so, they can easily parse the local log files without issues.
>>>>>>>>> I have a number of systems set up this way.
>>>>>>>>>
>>>>>>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]> wrote:
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> In our network we have a splunk centralized log server for all
>>>>>>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>>>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>>>>>>> is how the ossec agent will parse the log file while those boxes send logs
>>>>>>>>>> to the splunk server via syslog?
>>>>>>>>>>
>>>>>>>>>> How do I configure splunk vs ossec log monitoring?
>>>>>>>>>>
>>>>>>>>>> -Satish
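
The "both" configuration dan describes (local files kept for OSSEC, one `*.* @logserver1` line appended for Splunk) is easy to get wrong in exactly the way Satish did, so here is an added sanity check for a sysklogd-style syslog.conf; it is example code written for this page, not from the thread or from OSSEC. The sample config is constructed here, the function names are ours, and `logserver1` and the /var/log paths are the ones named in the thread.

```shell
# Added example (not from the thread): check that a sysklogd-style syslog.conf
# both writes the local files OSSEC reads (/var/log/messages, /var/log/secure)
# and forwards to the central server, the "both" setup dan describes.
# Function names are ours; logserver1 is the host name used in the thread.
# Write a constructed RHEL4-style syslog.conf: stock local-file rules kept,
# remote forwarding line appended at the end.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
# Forward everything to the central log server (Splunk) as well.
*.*                                        @logserver1
EOF
}

# Succeed if some non-comment rule writes to the local file named in $2
# (a leading '-' on the path only means unsynchronised writes).
logs_locally() {
    grep -v '^[[:space:]]*#' "$1" | awk -v f="$2" '
        NF >= 2 { d = $NF; sub(/^-/, "", d); if (d == f) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Succeed if some non-comment rule forwards to a remote host (@host).
forwards_remotely() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 2 && $NF ~ /^@/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Report each check; return 0 only when local files and forwarding are all present.
check_syslog_conf() {
    rc=0
    for f in /var/log/messages /var/log/secure; do
        if logs_locally "$1" "$f"; then
            echo "ok       local file $f"
        else
            echo "MISSING  local file $f (OSSEC has nothing to read)"; rc=1
        fi
    done
    if forwards_remotely "$1"; then
        echo "ok       remote forwarding rule"
    else
        echo "MISSING  remote forwarding rule (e.g. *.* @logserver1)"; rc=1
    fi
    return $rc
}
```

Run `check_syslog_conf /etc/syslog.conf` on an agent before restarting syslogd; a file containing only the forwarding line fails the local-file checks, which is the state Satish was in.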
